Vulnerability and threat mitigation features in Red Hat Enterprise Linux

Updated -

Red Hat Enterprise Linux versions have included a number of vulnerability and threat mitigation features. This table gives a summary of the features and the versions they appear in.

For additional information, please refer to the Fedora Security Features Matrix.

| Feature | RHEL 3 (2003 Oct) | RHEL 4 (2005 Feb) | RHEL 5 (2007 Mar) | RHEL 6 (2010 Nov) | RHEL 7 (2014 Jun) | RHEL 8 (2019 May) | RHEL 9 (2022 May) |
|---|---|---|---|---|---|---|---|
| Firewall by default | Y | Y | Y | Y | Y | Y | Y |
| Signed updates required by default | Y | Y | Y | Y | Y | Y | Y |
| NX emulation using segment limits by default | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| Support for Position Independent Executables (PIE) | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| Address Randomization (ASLR) for Stack/mmap by default | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| ASLR for vDSO (if vDSO enabled) | no vDSO | Y | Y | Y | Y | Y | Y |
| Support for NULL pointer dereference protection | Y (since 11/2009) | Y (since 9/2009) | Y (since 5/2008) | Y | Y | Y | Y |
| NX for supported processors/kernels by default | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| Support for block module loading via cap-bound sysctl tunable or /proc/sys/kernel/cap-bound | Y | Y | Y | no cap-bound | no cap-bound | no cap-bound | no cap-bound |
| Restricted access to kernel memory by default | | Y | Y | Y | Y | Y | Y |
| Support for SELinux | | Y | Y | Y | Y | Y | Y |
| SELinux enabled with targeted policy by default | | Y | Y | Y | Y | Y | Y |
| glibc heap/memory checks by default | | Y | Y | Y | Y | Y | Y |
| Support for FORTIFY_SOURCE, used on selected packages | | Y | Y | Y | Y | Y | Y |
| Support for ELF Data Hardening | | Y | Y | Y | Y | Y | Y |
| All packages compiled using FORTIFY_SOURCE | | | Y | Y | Y | Y | Y |
| All packages compiled with stack smashing protection | | | Y | Y | Y | Y | Y |
| SELinux Executable Memory Protection | | | Y | Y | Y | Y | Y |
| glibc pointer encryption by default | | | Y | Y | Y | Y | Y |
| Enabled NULL pointer dereference protection by default | | | Y (since 5/2008) | Y | Y | Y | Y |
| Enabled write-protection for kernel read-only data structures by default | | | Y | Y | Y | Y | Y |
| FORTIFY_SOURCE extensions including C++ coverage | | | | Y | Y | Y | Y |
| Support for block module loading via modules_disabled sysctl tunable or /proc/sys/kernel/modules_disabled | | | | Y | Y | Y | Y |
| Support for SELinux to restrict the loading of kernel modules by unprivileged processes in confined domains | | | | Y | Y | Y | Y |
| Enabled kernel -fstack-protector buffer overflow detection by default | | | | Y | Y | Y | Y |
| Support for sVirt labelling to provide security over guest instances | | | | Y | Y | Y | Y |
| Support for SELinux to confine users' access on a system | | | | Y | Y | Y | Y |
| Support for SELinux to test untrusted content via a sandbox | | | | Y | Y | Y | Y |
| Support for SELinux X Access Control Extension (XACE) | | | | Y | Y | Y | Y |
| Stronger stack smashing protection (-fstack-protector-strong) | | | | | Y | Y | Y |
| Available protection against USB security attacks | | | | | Y (since 7.4) | Y | Y |
| Only TLS 1.2 and above allowed in the default crypto policy | | | | | | Y | Y |
| All packages compiled with stack clashing protection | | | | | | Y | Y |
| Automatic annotation of system binaries and executables for examination of their security profile | | | | | | Y | Y |
| Golang: FIPS compliance support | | | | | | Y (since 8.2) | Y |
| Support for Network Time Security | | | | | | Y (since 8.5) | Y |
| OpenSSH with U2F/FIDO security keys support | | | | | | | Y |

An empty cell means the feature is not listed for that release.

Please note that this table covers only the most common architectures, x86 and x86_64; feature support on other supported architectures may vary.